In my company it's our first time using AWS Elastic Beanstalk to deploy webapps and we are having difficulty making it work over https. The application is running on a single node (we aren't using a load balancer) and is written with CodeIgniter 3 in PHP 8.0 running on the EB platform v3.3.10. Right now we have an environment with it working over http, while we try to make it work over https.
We are using Apache as the proxy server and we have generated the configuration files as mentioned in the docs. But we keep receiving errors during the deployment: [image: deployment error snapshot]
To simplify things we started trying to deploy a simple "hello world" app and make it work over https, but we keep failing... we don't know what we are failing at, what we are doing wrong...
The config files that we have made are the following ones.
https-instance-single.config

    Resources:
      sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
          IpProtocol: tcp
          ToPort: 443
          FromPort: 443
          CidrIp: 0.0.0.0/0

And https-instance.config

    packages:
      yum:
        mod24_ssl : []
    files:
      /etc/httpd/conf.d/ssl.conf:
        mode: "000644"
        owner: root
        group: root
        content: |
          LoadModule ssl_module modules/mod_ssl.so
          Listen 443
          <VirtualHost *:443>
            <Proxy *>
              Order deny,allow
              Allow from all
            </Proxy>
            SSLEngine on
            SSLCertificateFile "/etc/pki/tls/certs/server.crt"
            SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
            SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
            SSLProtocol All -SSLv2 -SSLv3
            SSLHonorCipherOrder On
            SSLSessionTickets Off
            Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
            Header always set X-Frame-Options DENY
            Header always set X-Content-Type-Options nosniff
            ProxyPass / http://localhost:80/ retry=0
            ProxyPassReverse / http://localhost:80/
            ProxyPreserveHost on
            RequestHeader set X-Forwarded-Proto "https" early
          </VirtualHost>
      /etc/pki/tls/certs/server.crt:
        mode: "000400"
        owner: root
        group: root
        content: |
          -----BEGIN CERTIFICATE-----
          My certificate
          -----END CERTIFICATE-----
      /etc/pki/tls/certs/server.key:
        mode: "000400"
        owner: root
        group: root
        content: |
          -----BEGIN RSA PRIVATE KEY-----
          My private key
          -----END RSA PRIVATE KEY-----

The "funny" thing is that if we change mod24_ssl for just mod_ssl, it doesn't produce an error while deploying it, but still it doesn't work and doesn't expose the 443 port. We have checked it with telnet and it's closed.
We have checked in the security group that HTTP and HTTPS inbound traffic is enabled.
We suppose that we are not the first ones having this problem and it might be something that we have done wrong and hopefully something easy to make work. So if someone reads this and knows what it could be, we would really appreciate any help that you can provide.
Thank you
Version 3.3.10 is based on Amazon Linux 2 (AL2), however all your settings are for AL1, which do not work in the new version.
To properly set up your httpd in EB based on AL2 you have to use the .platform folder, not .ebextensions. All details are in the AWS Docs under the Reverse proxy configuration and Configuring Apache HTTPD sections.
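
A pre-deploy check for the Amazon Linux 1 leftovers the answer points to, as an added example that is not part of the original question or answer. The rule names are this example's own, the sample is constructed from the question's config, and the TLS 1.0 and private-key rules go beyond what the answer covers.

```python
import re

# Constructed sample: a trimmed copy of the question's https-instance.config,
# with a placeholder where the key material would be.
SAMPLE = """\
packages:
  yum:
    mod24_ssl : []
files:
  /etc/httpd/conf.d/ssl.conf:
    content: |
      Listen 443
      <VirtualHost *:443>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
      </VirtualHost>
  /etc/pki/tls/certs/server.key:
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      (placeholder)
      -----END RSA PRIVATE KEY-----
"""

# (rule id, pattern, message). The rule ids are this example's own names.
RULES = [
    ("al1-package", r"^\s*mod24_ssl\s*:",
     "mod24_ssl is the Amazon Linux 1 package name; AL2 uses mod_ssl"),
    ("httpd-conf-path", r"^\s*/etc/httpd/conf\.d/\S+:\s*$",
     "on AL2 platforms Apache config belongs in .platform/httpd/conf.d/"),
    ("tls10-enabled", r"^\s*SSLProtocol\s+all\b(?!.*\s-TLSv1(\s|$))",
     "'All' minus SSLv2/SSLv3 still leaves TLS 1.0 enabled"),
    ("inline-private-key", r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----",
     "private key is stored in the source bundle"),
]

def lint(text):
    """Return (line number, rule id, message) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern, message in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, rule_id, message))
    return findings

if __name__ == "__main__":
    for lineno, rule_id, message in lint(SAMPLE):
        print(f"line {lineno}: [{rule_id}] {message}")
```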